passage: add support for multiple identity files #52

Open. Wants to merge 1 commit into main.

Conversation

remko
Contributor

@remko remko commented Apr 10, 2024

Resolves #51

  • If identities is a directory, pass all files in that directory in alphabetical order as -i arguments to age
  • Pass all -i arguments as AGE_IDENTITY_ARGS variable to extensions.
  • Pass first identity as IDENTITIES_FILE to extensions for backwards compatibility.

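The behaviour the PR description lists above, written out as an added POSIX shell example. This is not passage's own code and not the PR's diff: it treats the identities path as either a single file or a directory, passes every file in the directory to age as its own `-i` argument in alphabetical order, and exports `AGE_IDENTITY_ARGS` and `IDENTITIES_FILE` under the names the description gives for extensions. The `AGE` override variable and the file names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from passage or from this PR. It implements the
# behaviour the PR description lists: treat the identities path as either one
# file or a directory, and hand every file in the directory to age as its own
# -i argument, in alphabetical order.

# Print the -i arguments for IDENTITIES, one token per line, so a caller can
# see exactly what age would receive. Directory entries come out in the
# shell's glob order (alphabetical), so prefixes such as 00-yubikey.txt and
# 10-x25519.txt control the order in which age tries them. Dotfiles and
# subdirectories are skipped.
identity_args() {
  ids=$1
  if [ -d "$ids" ]; then
    for f in "$ids"/*; do
      [ -f "$f" ] || continue
      printf '%s\n%s\n' -i "$f"
    done
  elif [ -f "$ids" ]; then
    printf '%s\n%s\n' -i "$ids"
  else
    printf 'identities not found: %s\n' "$ids" >&2
    return 1
  fi
}

# Decrypt ENCRYPTED with every identity under IDENTITIES. The argument list is
# built in the positional parameters, so paths containing spaces survive
# intact. IDENTITIES_FILE (first identity) and AGE_IDENTITY_ARGS (all -i
# arguments) are exported under the names the PR description uses for
# extensions. AGE is this example's own override of the age binary; it
# defaults to "age" on PATH.
age_decrypt() {
  ids=$1
  encrypted=$2
  set --
  if [ -d "$ids" ]; then
    for f in "$ids"/*; do
      [ -f "$f" ] || continue
      set -- "$@" -i "$f"
    done
  elif [ -f "$ids" ]; then
    set -- -i "$ids"
  fi
  if [ $# -eq 0 ]; then
    printf 'no identity files under %s\n' "$ids" >&2
    return 1
  fi
  IDENTITIES_FILE=$2          # "$1" is -i, "$2" is the first identity path
  AGE_IDENTITY_ARGS=$*
  export IDENTITIES_FILE AGE_IDENTITY_ARGS
  "${AGE:-age}" -d "$@" "$encrypted"
}
```

Usage: `age_decrypt ~/.passage/identities secret.age`. Because age tries identities in the order given, name the files so that the one you want tried first sorts first; an empty directory is reported as an error rather than silently calling age with no identity.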
@pnelson

pnelson commented Aug 7, 2024

Thanks for your work. Actually the current documentation for usage with Yubikey is rather confusing without this as it seems to imply multiple identities work:

passage/README, line 54 in 42cb195:

age-plugin-yubikey --identity >> $HOME/.passage/identities

But in practice trying to show a password...

age: error: reading "~/.passage/identities": failed to read "~/.passage/identities": invalid armor: trailing data after armored file

@pnelson

pnelson commented Aug 7, 2024

I see you've already identified this in your original issue #51:

Passage only looks in one identities file, and as far as I know, I cannot combine passphrase-protected age keys and non-password-protected keys (such as the secure enclave one) in one identities file, so I can't make passage behave this way. It does work with age directly when I pass both identities in the correct order.

I guess this documentation could be improved upon but now I'm realizing it is not necessarily as closely related to this PR as I had originally thought.

@jhvst

jhvst commented Oct 21, 2024

I was able to replicate this feature here: jhvst/nix-config@f5592dc

I use a Yubikey HMAC and a Trezor. Would be nice to see this merged!

@mntn-xyz

This comment was marked as resolved.

@remko
Contributor Author

remko commented Dec 12, 2024

@mntn-xyz Encrypting to multiple keys (e.g. for backup) and decrypting with the identity that is available is already supported by Passage. The same applies to your use case for a shared repository of secrets. Encryption can use recipients files (which can have multiple recipients).

What this PR is about is when a single user needs to use multiple private keys for decryption 'simultaneously' (i.e. some secrets are encrypted using one secret of this user, other secrets using another of this user).

This PR has no impact on age plugins, only on Passage plugins. Age plugins are handed all identities in order, something that has always been supported. I'm not sure why age-plugin-fido2-hmac would only try the first identity.

@mntn-xyz

@remko Thanks for the clarification. I think I just misunderstood the purpose of this due to the discussion of Yubikeys. I was working late on this and it sounded like this was about passing additional identities to age and then to age plugins. I see now you mentioned "extensions" here, not plugins, and honestly I wasn't even aware that passage had extensions! TIL.

Successfully merging this pull request may close this issue: Allow multiple identities files
4 participants